On Sun, 14 Jul 2024, Thomas Köller wrote:
> Hi,
>
> I am trying to configure OpenSSH to allow root logins, without success so far.
> So I could really use some advice.
>
> This is my server configuration:
>
> AllowUsers = thomas root
> AuthenticationMethods hostbased,publickey
> ExposeAuthInfo = no
> ForceCommand none
> GSSAPIAuthentication no
> HostbasedAcceptedAlgorithms ssh-ed25519
> HostbasedAuthentication yes
> HostbasedUsesNameFromPacketOnly yes
> HostKey /etc/ssh/host_key_sarkovy.koeller.dyndns.org_ed25519
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> KerberosAuthentication no
> ListenAddress = 192.168.0.1
> ListenAddress = fd46:1ffa:d8e0::1
> LogLevel VERBOSE
> PasswordAuthentication no
> PermitEmptyPasswords no
> PermitRootLogin yes
> PermitTTY yes
> PermitTunnel no
> PermitUserRC yes
> PubkeyAuthentication yes
> PubkeyAcceptedAlgorithms ssh-ed25519
> UseDNS = no
> X11Forwarding no
>
> For now, the client machine is on a static IP address, just for testing using
> my in-house network. But later the client machines will be on dynamic IP
> addresses, which is why I have 'HostbasedUsesNameFromPacketOnly yes'. With
> this setup I can log into my regular user account 'thomas', so hostbased
> authentication at least seems to be configured correctly. But root logins are
> rejected like this:
>
> root@htpc:~# ssh sarkovy
> root@sarkovy: Permission denied (hostbased).
>
> I created a /root/.shosts file containing
>
> fd46:1ffa:d8e0::2 root
> htpc.koeller.dyndns.org root
>
> to no avail. Enabling debug output on both the server and the client did not
> produce anything hinting at the reason why logins are failing, or at least I
> have been unable to spot anything like that.

Hostbased authentication can be tricky to debug, and basically impossible
without logs from both the client and server.

Did you set EnableSSHKeysign in the client's /etc/ssh/ssh_config?

-d
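
The checks raised in this thread, as an added example that is not part of the original messages: a Python script that reads sshd_config and ssh_config text and lists settings that can block hostbased login as root. It relies on sshd_config(5), where IgnoreRhosts yes makes sshd ignore per-user .rhosts and .shosts files; the function names and the client file are assumptions made for the example, and Host/Match blocks are not evaluated.

```python
import re

def global_options(text):
    """Return {keyword: value} from the global section of an ssh/sshd config."""
    opts = {}
    for raw in text.splitlines():
        # Keyword and argument are separated by whitespace or one optional '='.
        m = re.match(r"\s*(\w+)\s*=?\s*(.*?)\s*$", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).lower()
        if key in ("host", "match"):
            break  # simplification: conditional blocks are not evaluated
        opts.setdefault(key, value)  # keep the first occurrence
    return opts

def root_hostbased_findings(sshd_text, ssh_text):
    """List settings that can block hostbased login as root (empty = none found)."""
    srv, cli = global_options(sshd_text), global_options(ssh_text)
    out = []
    if cli.get("enablesshkeysign", "no") != "yes":
        out.append("client: EnableSSHKeysign is not yes, so ssh-keysign refuses to sign")
    for side, cfg in (("client", cli), ("server", srv)):
        if cfg.get("hostbasedauthentication", "no") != "yes":
            out.append(f"{side}: HostbasedAuthentication is not yes")
    # sshd skips hosts.equiv/shosts.equiv for uid 0, so root depends on
    # ~/.rhosts or ~/.shosts, and IgnoreRhosts yes (the default) ignores both.
    if srv.get("ignorerhosts", "yes") == "yes":
        out.append("server: IgnoreRhosts yes ignores /root/.shosts")
    for methods in srv.get("authenticationmethods", "").split():
        if "hostbased" in methods.split(",") and "," in methods:
            out.append(f"server: AuthenticationMethods {methods} needs all listed methods")
    return out

# Server lines copied from the post; the client file is constructed for the example.
SERVER = """\
AuthenticationMethods hostbased,publickey
HostbasedAuthentication yes
IgnoreRhosts yes
PermitRootLogin yes
"""
CLIENT = "HostbasedAuthentication yes\n"

if __name__ == "__main__":
    for finding in root_hostbased_findings(SERVER, CLIENT):
        print(finding)
```

On a live system the same keywords can be read from the effective configuration printed by `sshd -T` on the server and `ssh -G <host>` on the client.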